United States: The USA Patriot Act and the Privacy of Data Stored in the Cloud

European consumers have expressed concern that the USA Patriot
Act (the "Uniting and Strengthening America by Providing
Appropriate Tools Required to Intercept and Obstruct Terrorism Act
of 2001" or "Patriot Act") will afford the US
government undue and unfettered access to their data if they choose
to store it on the cloud servers of US providers (e.g., Microsoft
or IBM). A recent survey found that 70 percent of Europeans have
concerns about their online data and how well it is secured. For
many, these fears were exacerbated by an announcement by Gordon
Frazer, the managing director of Microsoft UK, that he could not
guarantee that data stored on Microsoft servers, wherever located,
would not end up in the hands of the US government, because
Microsoft, a company based in the United States, is subject to US
laws, including the Patriot Act. Aware of these concerns, some EU
data centers have gone so far as to advertise that they provide
"a safe haven from the reaches of the Patriot Act."

To evaluate the validity of these concerns, several questions
must be considered. First, exactly what information does the
Patriot Act reach? Second, how likely is it, as a practical matter,
that the Patriot Act will ever be used to reach a European
company's data stored in the cloud? Finally, how does that risk
compare with exposure that European companies already face, such as
the prospect of their home-country governments accessing their
cloud-stored data? As Ambassador Phillip Verveer, the US State
Department's Coordinator for International Communications and
Information Policy, explains, "[t]he PATRIOT Act has come to
be a kind of label for [privacy] concerns.... We think, to some
extent, it's taking advantage of a misperception, and we'd
like to clear up that misperception."

This article seeks to dispel some of the myths shrouding the
Patriot Act, and to provide an assessment of the risks the Patriot
Act poses to data stored in the cloud, particularly where the data,
or its owner, are based outside of the United States.

Patriot Act Discovery Tools for Law Enforcement

Contrary to a common misconception, the Patriot Act did not
create entirely new procedural mechanisms for US law enforcement to
use to obtain data in furtherance of its investigations. However,
the Patriot Act did expand certain discovery mechanisms already
available to US law enforcement. Two of these expanded mechanisms
warrant discussion because US law enforcement could use them to
access data in the cloud: FISA Orders and National Security
Letters.

FISA Orders

Prior to enactment of the Patriot Act, the Foreign Intelligence
Surveillance Act permitted the FBI to apply to a special court, the
Foreign Intelligence Surveillance Court, for a FISA Order to obtain
the business records of third parties for the purpose of foreign
intelligence and international terrorism investigations.
Originally, however, such business records were limited to car
rental, hotel, storage locker, and common-carrier records.

Title II of the Patriot Act, "Enhanced Surveillance
Procedures," expanded the reach of FISA Orders to allow the
FBI to obtain "an order requiring the production of any
tangible things (including books, records, papers, documents and
other items) for an investigation to protect against international
terrorism and clandestine intelligence activities." This
includes data in the cloud. To obtain a FISA Order, the FBI must
specify that the tangible things sought are for an authorized
investigation either to obtain foreign intelligence information not
concerning a United States person or to protect against
international terrorism or clandestine intelligence activities.

FISA Orders, particularly as expanded under Section 215 of the
Patriot Act, have given rise to privacy concerns for several
reasons. First, such orders may be granted ex parte, meaning with
only the FBI presenting evidence to the court. Second, Section 215
includes a "gag" provision that prohibits the party that
receives a FISA Order from disclosing that fact. This typically
would prevent a cloud service provider from informing its customers
that the service provider had shared their data with the FBI in
response to a FISA Order. Third, the fact that Section 215 allows
the FBI to obtain a person's library records sparked
significant protests that the provision was invasive of reader
privacy. Finally, the American Civil Liberties Union objects that
"[t]he FBI need not show probable cause, nor even reasonable
grounds to believe, that the person whose records it seeks is
engaged in criminal activity."

In the USA Patriot Act Improvement and Reauthorization Act of
2005, enacted March 9, 2006, Congress took several steps to address
these concerns, including adding provisions to allow the recipient
of a FISA Order to oppose it before the Foreign Intelligence
Surveillance Court and also, after a one-year hiatus, to contest
the gag provision. Congress also required the US Attorney General
to promulgate regulations to "minimize the retention, and
prohibit the dissemination, of non-publicly available
information." Notwithstanding these efforts, privacy and civil
liberties advocates remain deeply troubled by Section 215.

What is the practical effect of FISA Orders on users of US cloud
services? The answer is that the FBI rarely uses FISA Orders. In
2010, the US government made only 96 applications to the Foreign
Intelligence Surveillance Court for FISA Orders granting access to
business records. There are several reasons why the FBI may be
reluctant to use FISA Orders: public outcry; internal FBI politics
necessary to obtain approval to seek FISA Orders; and the
availability of other, less controversial mechanisms, with greater
due process protections, to seek data that the FBI wants to access.
As a result, this Patriot Act tool poses little risk for cloud
users.

National Security Letters

The National Security Letter (NSL) is a form of administrative
subpoena that the FBI and other US government agencies can use to
obtain certain records and data pertaining to various types of
government investigations.

When the Patriot Act was enacted, there were already four
federal statutes authorizing enumerated government authorities
(chiefly the FBI) to issue NSLs. First, under the Right to
Financial Privacy Act (RFPA), the FBI and the Secret Service may
obtain financial records from financial institutions such as banks,
securities brokerages, car dealers, pawn brokers, casinos, and real
estate agents (accountants and auditors, however, are not
included).

Second, under the Fair Credit Reporting Act, the FBI may use an
NSL to obtain from a consumer reporting agency (e.g., the three
major credit bureaus: TransUnion, Equifax, Experian) the names and
addresses of all financial institutions at which a consumer
maintains or has maintained an account, plus consumer-identifying
information such as name, address and employment history.

Third, under the Electronic Communications Privacy Act, the FBI
may request, from wire or electronic service providers (including
Internet service providers), subscriber information, toll-billing
records information, and electronic communication transactions
records. The US Department of Justice takes the position that this
includes, with regard to email accounts, the name, address, and
length of service of a person, as well as email addresses
associated with an account and screen names.

Fourth, under the National Security Act, an authorized
government investigative agency may request any of the types of
information described above, from any of the sources described
above, when necessary to conduct security checks of government
employees or investigate US government employees believed to be
spying for foreign powers.

Title V of the Patriot Act, Removing Obstacles to Investigating
Terrorism, expanded the FBI's authority to make NSL requests
beyond its headquarters, to its 56 field offices; eliminated the
requirement that the information sought relate to a foreign power,
instead requiring that the NSL request be relevant to international
terrorism or foreign spying; and allowed the FBI to obtain full
consumer credit reports. The Patriot Act also added another NSL
section to the Fair Credit Reporting Act, this one allowing not
just the FBI, but any government agency, to obtain information from
a consumer reporting agency in connection with international
terrorism or intelligence activities.

After the Patriot Act expanded the scope of NSLs as described
above, their use began to rise. The Department of Justice reported
to Congress that in 2010 the FBI made 24,287 NSL requests
(excluding requests for subscriber information only).

NSLs give rise to privacy concerns and, according to critics,
the potential for abuse, for several reasons. First, the FBI may
issue NSLs on its own initiative, without the authorization of any
court. (This was true even before the Patriot Act.) Nothing in the
Patriot Act provides for any judicial review of the FBI's
decision to issue an NSL. Second, the NSL statutes impose a gag
requirement on persons receiving an NSL. In addition, the Attorney
General Guidelines and various information-sharing agreements
require the FBI to share NSL information with other federal
agencies and the US intelligence community.

The Reauthorization Act tried to redress some of these concerns.
It provided a right to judicial review of NSLs and a right to
petition a court to lift the gag order. The Reauthorization Act
also provided criminal penalties for violating gag obligations with
the intent to obstruct an investigation.

So where does this complex statutory scheme leave cloud users?
While the use of NSLs is not uncommon, the types of data that US
authorities can gather from cloud service providers via an NSL are
limited. In particular, the FBI cannot properly insist via an NSL
that Internet service providers share the content of communications
or other underlying data. Rather, as set forth above, the statutory
provisions authorizing NSLs allow the FBI to obtain
"envelope" information from Internet service providers.
Indeed, the information that is specifically listed in the relevant
statute is limited to a customer's name, address, and length of
service.

The FBI often seeks more, such as who sent and received emails
and what websites customers visited. But, more recently, many
service providers receiving NSLs have limited the information they
give to customers' names, addresses, length of service and
phone billing records. "Beginning in late 2009, certain
electronic communications service providers no longer honored"
more expansive requests, FBI officials wrote in August 2011, in
response to questions from the Senate Judiciary Committee.

Although cloud users should expect their service providers that
have a US presence to comply with US law, users also can reasonably
ask that their cloud service providers limit what they share in
response to an NSL to the minimum required by law. If cloud service
providers do so, then their customers' data should typically
face only minimal exposure due to NSLs.

Other Law Enforcement Tools

As discussed above, the two law enforcement tools for discovery
of third-party data that were most significantly enhanced by the
Patriot Act and that have given rise to significant concerns by
European critics of the Patriot Act—FISA Orders and
NSLs—should not, as a practical matter, pose a
significant risk to European data on the servers of US-based cloud
providers. But it would be a mistake to end the analysis there.

Search Warrants and Grand Jury Subpoenas

US federal law enforcement has other, more traditional
mechanisms for obtaining information it deems necessary to support
its investigative efforts, such as search warrants (which must be
approved by a US court upon a showing of probable cause) and grand
jury subpoenas, which are issued by a US federal prosecutor in
support of an ongoing grand jury investigation (and which a
recipient may move to quash in court). These mechanisms also can be
used to obtain data stored in the cloud. Should the risks these
tools pose cause European companies to eschew US cloud
services?

At the outset, consider that search warrants and grand jury
subpoenas are hardly new. Search warrants trace their roots in the
United States back at least to the Bill of Rights (ratified in
1791): the Fourth Amendment provides for protection against
searches and seizures in the absence of a properly obtained
warrant. Similarly, the grand jury has been functioning as an
institution for receiving evidence of criminal activity since the
Magna Carta and also has been incorporated into the US
Constitution.

Moreover, Europeans (and others) have comparable discovery
mechanisms in their home countries. For example, in France, the
Police Nationale and the Gendarmerie Nationale both can execute
search warrants. Article 13 of Germany's Basic Law similarly
recognizes judicially ordered search warrants. And, of course, US
search warrants have their roots in English law. Accordingly, to
the extent European consumers wish to avoid any risk that any
government will access their cloud data, merely avoiding US service
providers is unlikely to help.

MLATs

Sequestering data on European cloud servers may be an
ineffective prophylactic against US government access for another
reason. The United States and most European governments have
entered into bilateral Mutual Legal Assistance Treaties (MLATs). In
a typical MLAT, the two countries commit to provide one another
with "the widest measure of mutual assistance in
investigations or proceedings in respect of criminal
offenses...."

In 2003, the United States and the European Union entered into
an MLAT with a provision addressing data protection. That provision
governs MLAT requests made pursuant to prior bilateral MLATs
between EU Member States and the United States. The comments to the
EU-US MLAT explain that this provision was "meant to ensure
that refusal of assistance on data protection grounds may be
invoked only in exceptional cases." Accordingly, US MLAT
requests, particularly those concerning terrorism investigations,
are seldom denied for data protection reasons.

US Jurisdictional Limitations

In the United States, only a party amenable to what is known as
"personal jurisdiction" can be subject to a search
warrant, grand jury subpoena, NSL, FISA Order or other enforceable
request for documents or data. The fundamental requirements for
exercising personal jurisdiction over an individual or corporation
are grounded in the Constitution, and the Patriot Act did not alter
those principles (nor did it purport to do so).

In the context of personal jurisdiction, due process
considerations prohibit courts from exercising jurisdiction over a
witness who lacks minimum contacts with the forum. In the case of a
corporation, this means that any corporation based in the United
States will be subject to US jurisdiction and, thus, can be subject
to FISA Orders, NSLs, search warrants, or grand jury subpoenas. The
same is generally true for a non-US corporation that has a location
in the United States or that conducts continuous and systematic
business in the United States.

Furthermore, an entity that is subject to US jurisdiction and is
served with a valid subpoena must produce any documents within its
"possession, custody, or control." That means that an
entity that is subject to US jurisdiction must produce not only
materials located within the United States, but any data or
materials it maintains in its branches or offices anywhere in the
world. The entity even may be required to produce data stored at a
non-US subsidiary.

What does this mean for non-US consumers of cloud services?
First, US law enforcement authorities may serve FISA Orders, NSLs,
warrants or subpoenas on any cloud service provider that is
US-based, has a US office, or conducts systematic or continuous US
business—even if the data is stored outside the United
States. Thus, merely choosing a European cloud service provider is
not enough to ensure that data is beyond the reach of US
jurisdiction and the Patriot Act.

Second, US law enforcement authorities may serve FISA Orders,
NSLs, warrants or subpoenas on any cloud service customer that is
US-based, has a US branch, or conducts systematic or continuous US
business—even if the data is stored outside the United
States. Many European entities have a US presence, and their US
presence will allow them to be subject directly to the authority of
US law enforcement, regardless of what company they use for cloud
storage.

The Patriot Act and European Data Protection

The European Commission's Directive on Data Protection
generally prohibits the transfer of personal data to non-European
Union countries that do not meet the EU "adequacy"
standard for privacy protection. While the United States and the
European Union share the goal of enhancing privacy protection for
their citizens, the United States takes a different approach to
privacy. To bridge these different privacy approaches, the
Department of Commerce, in consultation with the European
Commission, developed a "Safe Harbor" framework. By
joining and adhering to the EU-US Safe Harbor Agreement, US
companies can demonstrate that their data protection practices meet
EU data protection requirements. European companies then can share
data with US participants in the Safe Harbor agreement without
violating their home country data protection laws.

The Safe Harbor Agreement contains a provision that allows US
companies to comply with applicable US laws compelling the
production of data, including the Patriot Act. It is anticipated,
however, that at the World Economic Forum in January 2012, the
European Commission will announce legislation to repeal the
existing EU data protection directive and replace it with a more
robust framework. The new legislation might, among other things,
replace EU/US Safe Harbor regulations with a new approach that
would make it illegal for the US government to invoke the Patriot
Act on a cloud-based or data processing company in efforts to
acquire data held in the European Union. The Member States'
data protection agency with authority over the company's
European headquarters would have to agree to the data transfer.

The foregoing developments may significantly affect the legal
landscape for protection of data on the cloud servers in the
cross-border context and, thus, should be monitored closely.
However, it may be years before the new legislation is enacted (the
current EU Data Protection Directive took three years to be
enacted). By that time, changes in technology may present entirely
new challenges and considerations.

Conclusion

Consumers of cloud services are wise to consider all types of
risk to their data, whether from their home country's
government or another country's government. Merely avoiding US
cloud service providers based on concerns about the Patriot Act
does not solve the problem. That choice alone provides no assurance
that cloud data is beyond the reach of the Patriot Act, nor does it
provide protection against the risk that non-US governments will
access the cloud-stored data, either on their own initiative or in
response to an MLAT request from the United States.

Rather than making a selection based solely on the home country
of competing cloud providers, informed consumers of cloud services
should (i) consult legal counsel in their home country, in any
jurisdiction where their data may be stored, and in any
jurisdiction where their cloud service provider does business; (ii)
closely review their cloud services contracts and ask their
providers questions; and (iii) carefully consider all the relevant
risks before making a decision.

Mayer Brown is a global legal services organization
comprising legal practices that are separate entities (the Mayer
Brown Practices). The Mayer Brown Practices are: Mayer Brown LLP, a
limited liability partnership established in the United States;
Mayer Brown International LLP, a limited liability partnership
incorporated in England and Wales; Mayer Brown JSM, a Hong Kong
partnership, and its associated entities in Asia; and Tauil &
Chequer Advogados, a Brazilian law partnership with which Mayer
Brown is associated. "Mayer Brown" and the Mayer Brown
logo are the trademarks of the Mayer Brown Practices in their
respective jurisdictions.

This Mayer Brown article provides information and comments on legal
issues and developments of interest. The foregoing is not a
comprehensive treatment of the subject matter covered and is not
intended to provide legal advice. Readers should seek specific
legal advice before taking any action with respect to the matters
discussed herein.
